From: Omkar Patil <[email protected]>

In libinput before 1.30.4 and 1.31.x before 1.31.3,
libinput-device-group unescaped phys output can inject
udev properties leading to arbitrary root code execution

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2026-50292]

Signed-off-by: Omkar Patil <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
(cherry picked from commit c8dea5c76f9a0386050345e9638a282fe4ec4bfe)
Signed-off-by: Yoann Congal <[email protected]>
---
 .../wayland/libinput/CVE-2026-50292.patch     | 79 +++++++++++++++++++
 .../wayland/libinput_1.30.2.bb                |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch

diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch 
b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch
new file mode 100644
index 00000000000..d2421aab105
--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch
@@ -0,0 +1,79 @@
+From 76f0d8a7f57e2868882864b4611281f12f704b55 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <[email protected]>
+Date: Mon, 1 Jun 2026 10:48:24 +1000
+Subject: [PATCH] libinput-device-group: sanitize phys before printing it
+
+A malicious uinput device could set the phys value (via UI_SET_PHYS)
+to contain a '\n'. When the value is printed as part of the device group
+the udev rules will interpret it as separate property.
+
+Depending on the property this can cause local privilege escalation.
+
+Closes #1296
+
+Found-by: Csome
+Part-of: 
<https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1487>
+
+CVE: CVE-2026-50292
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55]
+
+Signed-off-by: Omkar Patil <[email protected]>
+---
+ udev/libinput-device-group.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c
+index cdb38c0b..f9188406 100644
+--- a/udev/libinput-device-group.c
++++ b/udev/libinput-device-group.c
+@@ -107,7 +107,8 @@ wacom_handle_ekr(struct udev_device *device,
+ 
+       udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
+               struct udev_device *d;
+-              const char *path, *phys;
++              _autofree_ char *phys = NULL;
++              const char *path;
+               const char *pidstr, *vidstr;
+               int pid, vid, dist;
+ 
+@@ -122,7 +123,7 @@ wacom_handle_ekr(struct udev_device *device,
+ 
+               vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
+               pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
+-              phys = udev_device_get_sysattr_value(d, "phys");
++              phys = str_sanitize(udev_device_get_sysattr_value(d, "phys"));
+ 
+               if (vidstr && pidstr && phys && safe_atoi_base(vidstr, &vid, 
16) &&
+                   safe_atoi_base(pidstr, &pid, 16) && vid == VENDOR_ID_WACOM 
&&
+@@ -134,7 +135,7 @@ wacom_handle_ekr(struct udev_device *device,
+                               best_dist = dist;
+ 
+                               free(*phys_attr);
+-                              *phys_attr = safe_strdup(phys);
++                              *phys_attr = steal(&phys);
+                       }
+               }
+ 
+@@ -151,7 +152,8 @@ main(int argc, char **argv)
+       int rc = 1;
+       struct udev *udev = NULL;
+       struct udev_device *device = NULL;
+-      const char *syspath, *phys = NULL;
++      _autofree_ char *phys = NULL;
++      const char *syspath = NULL;
+       const char *product;
+       int bustype, vendor_id, product_id, version;
+       char group[1024];
+@@ -175,8 +177,7 @@ main(int argc, char **argv)
+        * bit and use the remainder as device group identifier */
+       while (device != NULL) {
+               struct udev_device *parent;
+-
+-              phys = udev_device_get_sysattr_value(device, "phys");
++              phys = str_sanitize(udev_device_get_sysattr_value(device, 
"phys"));
+               if (phys)
+                       break;
+ 
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/wayland/libinput_1.30.2.bb 
b/meta/recipes-graphics/wayland/libinput_1.30.2.bb
index efd51809d8e..96531e8c54e 100644
--- a/meta/recipes-graphics/wayland/libinput_1.30.2.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.30.2.bb
@@ -16,6 +16,7 @@ SRC_URI = 
"git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;bra
            file://CVE-2026-35093.patch \
            file://CVE-2026-35094.patch \
            file://run-ptest \
+           file://CVE-2026-50292.patch \
            "
 SRCREV = "042c5e6fd9cc910307027a1522453794b29f2c72"
 
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239231): 
https://lists.openembedded.org/g/openembedded-core/message/239231
Mute This Topic: https://lists.openembedded.org/mt/119897526/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to